Crunch time for the digital entertainment industry

The blowup over Sony BMG's XCP digital-rights management software shows how the entertainment industry needs to wise up to technology pitfalls as the world increasingly goes digital. Entertainment companies aren't software companies, but, in essence, they're distributing software. And that's especially apt when they load DRM software on CDs and DVDs. This puts them in an awkward position. As product companies shipping music on CDs and movies on DVDs, they're accustomed to the idea of offering recalls on faulty products. But, in the software world, faulty products are patched, not replaced. Sony distributed a patch for XCP, but, in addition, it offered to replace nearly 5 million copies of 52 music CDs it had distributed with the flawed DRM software. If that becomes the new standard for the entertainment industry in situations like this, an industry already seriously wounded by illegal copying will be spilling even more blood.

Is it fair? Probably not. After all, Microsoft doesn't replace copies of Windows or Office if vulnerabilities in the code are exploited by virus writers. And some of these things have a lot more impact than Sony's glitch--which didn't result in a big virus outbreak.

Take the Sober worm. It has been in circulation since late 2003 and this month won the dubious distinction of being the most widely distributed piece of malware. It hijacks Windows-based computers and forces them to send out spam e-mails that overwhelm servers and networks. At its peak this month, the Sober-Z variant accounted for one in every 13 e-mails sent. Imagine the financial blow to Microsoft if it had to replace all the software products that Sober-Z exploits.

Sony BMG, under extreme pressure to do the right thing, did the right thing. Now we'll see if replacing CDs and DVDs, rather than just patching them, becomes the must-do response for the digital entertainment industry.

06:55 AM


Hmmm...just how, pray tell, does a company ship a patch for a CD? Last I heard, CDs were read-only media.

I also beg to differ that Sony "did the right thing." Sure, the recall was a step in the right direction, but as Business Week has pointed out, the recall hasn't exactly been carried out with a great deal of energy:

The fundamental issue Sony is facing is that the content on CDs is not encrypted, unlike DVDs, iTunes files, WMVs and other, newer industry-blessed formats. Sony can't ship CDs with encryption - millions upon millions of CD players would not be able to play the discs. So they are falling back on another option, which is to install software on users' computers that interferes with the normal playback behavior of CD drives. In other words, they are corrupting their customers' machines. This is completely unacceptable. If Sony is hellbent on shipping all their music in copy-protected format, they should stop selling CDs, because you can't copy-protect CDs without corrupting your customers' computers.

Posted by: Doug Lay at December 2, 2005 07:58 AM

It's amazing this is tech beat. It is not possible to patch a CD or DVD, thus a recall is the correct action.

Don't give Sony too much credit. They installed spyware on users' machines without notice or permission. Sony was informed of the security issues and tried to keep it quiet a month before it was independently found.

And possibly the worst - Sony "stole" a portion of the XCP program from the open source community without following licensing requirements. (They stole other intellectual property to try to protect their own!)

Posted by: ab at December 2, 2005 10:00 AM

What are you trying to do, prop up your Sony stock so you can sell it? You are doing a disservice to your readers by comparing Sony's rootkit, on what people expect to be a MUSIC CD, to an operating system, which people expect to be complex software. Furthermore, the malware Sony used was secretly installed and so poorly written that it consumes 1 to 2% of the system's processing power. Furthermore, you cannot protect your computer from vulnerabilities YOU DON'T KNOW YOU HAVE! Do you really want to see a dozen different variations of this type of software from different companies using 10-20% of your system resources? I don't have nearly enough room to go into the problems with Sony's EULA or the other DRM made by Suncomm. If this article is the best you can do, you may want to find another line of work.

Posted by: J Bergquist at December 2, 2005 10:43 AM

Wait a second... The cases are completely different.

Sony had no choice but to recall the infected CDs. To make a parallel case, if Microsoft were distributing CDs of Microsoft Office that happened to have a malicious virus on them, do you think they would continue to ship them, or would they recall them from stores and replace them?

Microsoft's patches are to fix inadvertent mistakes in the proper functioning of their systems.

Sony's software was clearly malicious - it fits any conventional definition of spyware and malware. They deliberately degraded the functionality of the computers it was installed on. In many cases, removing it caused the operating system to fail. Sony's music division is clearly so technically clueless that they didn't (and probably still don't) understand the dangers of what they did.

Sony didn't do the right thing - they are still shipping MediaMax DRM, which installs its software EVEN IF YOU TELL IT NOT TO (see http://www.freedom-to-tinker.com/?p=936). They are walking right into a RICO prosecution and serious legal headaches.

Posted by: Tim Howland at December 2, 2005 10:49 AM

Sony needs to rethink their DRM strategy as they are alienating their user base.

Posted by: cstar at December 2, 2005 12:06 PM

Poor, poor, poor reporting - you neither understand nor grasp the importance and depth of the issues - ethical, technical and business related. I expect more of Business Week.

Posted by: Keith Errington at December 2, 2005 06:56 PM

I've been following this story, and the calls for a boycott of Sony products, for a while. I had to buy a few pairs of headphones recently and avoided Sony (not easy, they make up about 90% of the headphone aisle) because of their behavior.

I take this very seriously. Sony, and other companies, need to realize that to a heavy computer user, a computer is like a 2nd brain. Any attempt to compromise its capabilities or security, or to covertly collect information from it, is absolutely unacceptable.

Posted by: john at December 2, 2005 08:07 PM

What horrible reporting. I find it hard to believe that someone who claims to be well-informed on technology could compare two extremely different cases: one of a music company including unwanted, potentially dangerous software on a MUSIC CD, and a software company selling operating system software that is vulnerable to attacks by hackers. The expectations of consumers in buying the two products are extremely different. Buyers who buy the Windows Operating System know that the system is insecure against malicious attacks by outside parties, but still choose to do so. On the other hand, consumers of Sony's music CDs have NO IDEA that the company is installing rootkit software on their computers, software that reports information about their computer to Sony without their permission. Finally, while Sony deliberately placed the rootkit software on their CDs, Microsoft in no way supported or condoned the Sober worm.

Moreover, did I just see you compare Sony's rootkit software to the Sober worm and say that, in comparison, Sony's software is less malicious? That is a ridiculous comparison. Of course the Sober worm is more dangerous, but Sober's creator was not a multi-national corporation. In fact, it is sad that a previously well-respected company like Sony would engage in the kind of practices that would lead it to be compared to the author of Sober.

In the future, please be more balanced and reasonable in your writing.

Posted by: John K at December 2, 2005 09:23 PM

Sony did the right thing? How in the world does he come to that conclusion? Either Steve Hamm didn't even read his own magazine's reports on this debacle, or he's a Sony shill. What about the other 20 million SunnComm CDs that Sony BMG has distributed with DRM spyware on them that installs whether or not the EULA is agreed to? What about the 1 million installations of the XCP spyware that can't be removed? Why did Sony deny the problem for 6 weeks after they were informed about it? Right thing. Not.